On Wed, Dec 21, 2022 at 08:15:59PM +0900, Junio C Hamano wrote:
> This is not a new issue, but I am not sure if "never touch the disk"
> is a honest thing to say (I know there is no "write this in a file"
> done by the cache daemon, but the running daemon can be swapped out
> and I do not think we do anything to prevent the in-core structure
> credential_cache_entry from getting written to the swap.
Right, we don't do anything like mlock(), mostly because of the
portability problems (though obviously we could make an optional
wrapper, which is strictly better than the status quo). On the other
hand, neither does git itself, so we're only holding credential-cache to
the same standard. Arguably the cache holds credentials longer, but a
fetch or push may run for quite a while bottle-necked on network or pack
generation/indexing (and both of those operations create memory pressure
which may trigger swap).
But I agree that it is more accurate to say "does not touch the
filesystem" or your "instead of written to a file".
> Taking all of the above together, perhaps something like this?
>
> ... caches credentials for use by future Git programs. The
> stored credentials are kept in memory of the cache-daemon
> process (instead of written to a file) and are forgotten after a
> configuarble timeout. The cache-daemon dies with the cached
> credentials upon a system shutdown/restart, or when it receives
> SIGHUP (i.e. by logging out, you disconnect from the terminal
> the daemon was started from); the latter can be disabled with
> credentialCache.ignoreSIGHUP configuration. The cache is
> accessible over a Unix domain socket, ...
That seems reasonable. I was going to suggest also mentioning that we
can ask the daemon to exit manually, but that is pretty well covered
later in the document. On the other hand, it may make sense to put all
of this together in the description.
As brian mentioned, not every system behaves the same with respect to
SIGHUP here. So we may need to be a little more vague here.
So maybe more like:
...are forgotten after a configurable timeout, or if the daemon exits.
You can ask the daemon to exit manually, forgetting all cached
credentials before their timeout, by running:
git credential-cache exit
The daemon will also exit when it receives a signal. Depending on the
configuration of your system, this may happen automatically when you
log out. If you want to inhibit this behavior (and let items time out
as normal even when you're logged out), you can set the
credentialCache.ignoreSIGHUP configuration variable to `true`.
There are many possible variations, of course. I was mostly just trying
to get across the point that:
- there are several ways for the daemon to exit
- sighup / logout handling may depend on your system
And I am happy with any text that says so.
-Peff
